They’ve Only Just Begun: Hacking the Silver State?

If the President of the US isn’t all that interested in how the Russians hacked and meddled in the 2016 election, voters and voting officials in the US should be, and this includes the state of Nevada.  There are several layers to the issues, the voting itself and the processes which are elements of the total election system.

Voting Machine Vulnerability

The good news is that Nevada has a relatively robust voting system in place that is more difficult for a foreign power — read Russian operatives — to hack, the bad news is that the Sequoia (Dominion) system could still have some issues most related to “insider” attacks

“The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems. There are many instances of poor or absent error and exception handling, and several cases where the software behavior does not match the comments and documentation. Some of these problems lead to potentially exploitable vulnerabilities that we identified, but even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.” [VerifiedVoting]

The problems associated with Nevada’s voting machines are mostly of the variety perpetrated by “insiders,” those who have control of the machines during set up, maintenance, and handling.  This is good news for preventing ‘rigging’ issues in terms of election outcomes being vulnerable to outside forces.  A statement from the Secretary of State describes the election audit system. (pdf)

Voter Registration Record Security

The election voter data isn’t quite so reassuring.  Nevada is a “member” of the Cross Check system.   The system certainly can be used to remove individuals from the voter rolls with deleterious effect, and the exchange between

voting officials and the Nevada ACLU isn’t all that comforting:

Wayne Thorley, Nevada’s deputy secretary of state for elections, counters that the program just matches data and doesn’t target anyone. “Just because someone comes back as a match on the Interstate Crosscheck list, it doesn’t automatically trigger cancellation of their account,” he said. “And then, further investigation is done by the state.” He said Nevada also uses the Electronic Registration Information Center to match names from the Crosscheck list with DMV records. Voters then get a postcard to verify their address and if they don’t respond and don’t vote in two elections, they’re dropped from the rolls. Tod Story, executive director of the Nevada ACLU, worries that the postcard system could be problematic. “It does not seem to be fair and certainly would affect more low-income and minority voters, who tend to be more transient, who are going to move more frequently,” he said. Thorley said that is certainly not the intent. “If that has a disparate impact on members of minority communities, I’m not aware of that,” added Thorley. “But it’s not targeted that way at all. We’re simply following the federal law.”

First, Mr. Thorley should be aware of “that” — there is, and has been demonstrated to be a disparate impact on members of minority groups.  Secondly, the post-card system is, and has been demonstrated to be, an ineffective way of contacting individuals who are ‘challenged’ under the Cross Check system.  [RS]  The results of using the Cross Check system are also not reassuring:

“The program has since expanded to 30 states, according to the National Conference of State Legislatures (NCSL), but it’s been controversial from the start. For one thing, it’s resulted in very few actual cases of fraud being referred for prosecution, as alleged cases of double voting in multiple states turned out to be clerical and other errors. One tally found that while the program has flagged 7.2 million possible double registrants, no more than four have actually been charged with deliberate double registration or double voting. Meanwhile, some states including Florida dropped out of the program due to doubts about the reliability of its data — though others, including the swing state of North Carolina, joined despite those issues.”  [TVN]

Get that? Out of 7.2 million ‘flagged’ 4 individuals have been charged with double registration or double voting.  In addition to obviously being ineffective (A 0.00005.5% catch rate doesn’t seem worth the effort) the collection would appear to be a grand place for a hacker to start if he or she has mischief in mind.

Initial Russian assaults are still a matter of confidentiality, no Secretaries of State have yet been cleared to receive the reports of hacking collected by our security agencies although there is testimony that 21 states were subjected to attacks of some kind. [LAT]  We do know that Illinois was one on the states in which voter registration rolls were hacked.

“The hack had nothing to do with counting the votes in elections in Illinois. The hackers looked at voting registration data: name, address, date of birth, gender and the last four digits in the Social Security number.

The hackers searched through about 80,000 records overall, with the elections board confirming that the records of just under 3,000 voters were viewed by the hackers.” [CST]

The Chicago Sun Times reported how the hack was accomplished, and how it was detected.   The state of Arizona also had a major scare, as reported by Michele Reagan, AZ Secretary of State:

Reagan said she was alerted to the hack after the Federal Bureau of Investigation found a credential — a username and login — for the state system for sale on the dark web.

“It was really frightening and scary considering we’re in charge of almost four million people’s information,” Reagan said.

Reagan said her office had a lot of decisions to make in short amount of time to protect voter safety and took the system offline.

“At that moment in time, the most important thing was what do we do with that database,” she said. “How do we inspect it? We need to make sure that no information was taken, no information was altered, a virus wasn’t inserted into that system.”

She said, while the voter database was hacked, the voting registration system was not.

“We got lucky once,” she said, adding that the state has added multi-factor authentication, required the changing and strengthening of passwords and made other tweaks to better protect the system. [KTAR]

It would be reassuring to know if Nevada has implemented “multi-factor authentication” and other measures to better secure Nevada voter data.

I’ve not read any reports to date assuring me that the Russian hacking was a “one-off” and unlikely to be replicated.  Indeed, nearly every article asserts that what we’ve seen in 2016 was only the beginning.  A few intrusions in anywhere from 21 to 39 states, a peek into voter information data, some attempts to ‘phish” their way into systems — and many warnings that this indicates increasing interest in going deeper into US elections rather than any foray for temporary recreational purposes.

Recommendations

Retain the sanctions placed on the Russians by the Obama Administration, and enact new and greater sanctions on them as proposed by the U.S. Senate.  House Republicans have stalled the bill which passed the Senate on a 98-2 vote. [NYT] As of June 23, 2017 the White House indicated it would step up lobbying efforts against the Russian sanctions bill. [WP]  Those tracking the progress of this bill will want to follow GovTrack S 722.

Review and potentially revise Nevada voter data security processes and products.  Have issues revolving around the infamous Cross Check program been resolved?  Have procedures been adopted that would prevent access such as happened in Illinois and Arizona?

Russian probing, and interference, will not stop…it will be up to the US Congress and the 50 states, to reject their efforts.

 

Advertisements

1 Comment

Filed under Nevada politics, Politics, Vote Suppression, Voting

One response to “They’ve Only Just Begun: Hacking the Silver State?